AI Agents Need Identity: Who's Behind the Machine?
40% of enterprise apps feature AI agents by end-2026 (Gartner). Only 23% of organisations have a formal identity strategy. Missing layer: human verification.
40% of enterprise applications will feature task-specific AI agents by end-2026 (Gartner), but only 23% of organisations have a formal AI agent identity strategy. The missing layer is not machine credentials ā it is human verification at the root of every agent's delegation chain. Without that, every autonomous action lacks an accountable person.
At RSAC 2026 last week, IBM, Auth0, and Yubico announced a partnership to solve what they called the great emerging challenge in enterprise AI ā proving that a verified human approved high-risk actions taken by autonomous agents. Meanwhile, NIST opened a public comment period on AI agent identity and authorization. The Cloud Security Alliance published research showing that only 23% of organisations have a formal strategy for managing AI agent identities. And Gartner predicts that 40% of enterprise applications will feature task-specific AI agents by the end of 2026, up from less than 5% in 2025.
Something has shifted. The identity industry spent a decade arguing about passwords versus passkeys. Now, the question is no longer just "how do we verify people?" ā it is "how do we verify the machines acting on their behalf, and how do we trace those machines back to a real human?"
This article examines what is happening, why the current identity infrastructure is not built for it, and what the path forward looks like.
The Scale of What Just Changed
AI agents are no longer chatbots that answer questions. They write code, execute financial transactions, negotiate with other agents, modify production systems, and interact with sensitive data ā autonomously, at machine speed, across multiple environments simultaneously.
The numbers are striking. According to research commissioned by Strata Identity and conducted by the Cloud Security Alliance, 100% of organisations surveyed have agentic AI on their roadmap. More than half already have agents in production. A quarter are planning decision-making agents ā systems that take actions without human approval for each step.
The non-human identity (NHI) market reflects this acceleration. Machine identities now outnumber human users by ratios exceeding 17:1 in large organisations. The NHI access management market was valued at $11.3 billion in 2025 and is projected to reach $38.8 billion by 2036. Meticulous Research attributes this growth to autonomous AI agents expanding the scope of the NHI problem well beyond what enterprises encountered even eighteen months ago.
Yet governance has not kept pace. The Cloud Security Alliance survey found that only 23% of organisations have a formal, enterprise-wide strategy for agent identity management. Another 37% rely on informal practices. Ownership is fragmented across security teams, IT departments, and emerging AI security functions, with no clear accountability.
The Kiteworks 2026 Forecast Report was blunt: today's agentic systems lack the foundations ā reliable identity verification, authorization boundaries, and accountability structures ā on which meaningful governance depends.
The Problem: Authenticated but Not Verified
Here is the core tension. Traditional identity systems were built for humans. Passwords, MFA, biometrics ā all designed to answer a single question: is this person who they claim to be?
Non-human identity management took a different path. Service accounts, API keys, OAuth tokens ā designed to answer: is this system authorised to perform this action?
AI agents break both models. They are not humans, but they act on behalf of humans. They are not static service accounts, but they use credentials. They reason, delegate, and make decisions ā sometimes spawning new agents that inherit permissions. Traditional IAM was not built for entities that appear, act, and disappear in milliseconds.
Nametag CEO Aaron Painter captured the paradox at RSAC 2026: we are not far from a world where someone says "I didn't do that ā my agent did. My agent approved this. My agent bought this thing." His conclusion was direct: you need a human behind that agent who is accountable, and an audit trail that lets you go back and verify that human.
This is not theoretical. The Cloud Security Alliance found that teams continue to share human credentials and access tokens with agentic users in the absence of better solutions. It is no wonder, the report noted, that AI programmes are stalling and failing to generate measurable impact.
NIST, the EU AI Act, and the Regulatory Signal
The regulatory landscape is moving fast. In February 2026, NIST released a concept paper on AI agent identity and authorization. (See also our deep dive on whether AI agents can legally hold signing authority.) The paper proposes a demonstration covering identification (distinguishing agents from humans), authorization (defining agent rights), access delegation (linking user identities to agents), and logging (linking agent actions to their non-human entity). Comments were due April 2.
The EU AI Act, already in force, requires human oversight for high-risk AI systems. The practical question organisations now face: what does "human oversight" mean when the human has delegated authority to an agent operating across multiple systems at machine speed?
The emerging answer centres on what RSAC 2026 called Human-in-the-Loop authorization. IBM, Auth0, and Yubico's partnership defines the model: AI agents operate autonomously for routine tasks but require cryptographically verified human approval for high-stakes actions ā large financial transfers, production code deployments, access to sensitive data.
The critical word is "cryptographically verified." Not a username and password. Not a shared credential. A verifiable, non-repudiable proof that a specific human authorised a specific action.
Why Passkeys Alone Do Not Solve This
The identity industry is in the middle of its own shift. Passwordless authentication ā passkeys based on FIDO2/WebAuthn ā is reaching an inflection point. The FIDO Alliance reports 15 billion passkey-enabled accounts by end of 2024, doubling year-over-year. Hypr's 2026 report found 71% of organisations moving toward passwordless adoption.
For human authentication, passkeys are a significant improvement. They are phishing-resistant, device-bound, and eliminate shared-secret vulnerabilities.
But for the AI agent identity problem, passkeys solve only part of the equation. They verify that a device is present and that someone with biometric access to that device approved an action. They do not independently verify who that person is. A passkey tied to a compromised device or a social-engineered recovery process can still produce a valid authentication event.
This matters profoundly in the agentic context. When an AI agent executes a ā¬500,000 transaction and the audit trail must prove which human authorised it, the chain of accountability needs to start with identity proofing ā not just device authentication. The question is not "was a valid device present?" but "was a verified human behind that device, and can we prove it?"
Ping Identity's HITL framework specifies the requirement explicitly: every human in the loop must be authenticated, authorised, and traceable. No anonymous reviewers. No shared logins.
The Three-Layer Model That Is Emerging
The industry is converging on a layered architecture for AI agent identity.
Layer 1: Agent identity. Each AI agent receives a verifiable credential ā a certificate, a SPIFFE identity, or an entry in an agent registry ā identifying what the agent is, what it is authorised to do, and under whose authority it acts. CyberArk, Okta, Microsoft Entra, HashiCorp, and Strata are building this layer. This is where the $38.8 billion NHI market lives.
Layer 2: Delegation chain. Every agent action links to a human authoriser through a delegation chain that preserves accountability. The agent acts on behalf of a verified human, and that relationship is logged. The IBM/Auth0/Yubico partnership and Delinea/Yubico integration target this layer.
Layer 3: Human identity proofing. The human at the root of the chain is verified ā not just authenticated. Their identity is established through a process that goes beyond device possession to prove who they actually are. This is the layer most current investments overlook. And it is the layer that determines whether the entire chain is trustworthy. AI agent identity verification provides this layer with passport-chip-based proofing for the human at the root of every agent's delegation.
Phil Calvin, Delinea's chief product officer, described the goal at RSAC: combining identity governance with hardware-backed human authorization to create a trusted chain of control ensuring every high-risk AI agent action can be traced back to a verified human decision.
The chain is only as strong as its anchor. If the human at the root is verified through a password, a shared credential, or a device-only passkey, the chain inherits that weakness. If the human is verified through a cryptographic identity proof ā based on a government-issued document that cannot be deepfaked ā the chain is structurally sound.
Where Biometric Passports Become the Root of Trust
This is where the conversation connects to something physical: the NFC chip inside a modern biometric passport.
That chip contains digitally signed identity data issued by a sovereign government under ICAO 9303 standards. It is protected by hardware security. It cannot be cloned, phished, or deepfaked. It is available in roughly 180 countries and regions worldwide ā covering virtually every person who might need to be verified as the human behind an AI agent, a digital transaction, or a cross-border workflow.
At IdentiGate, we built our platform on this foundation. A person scans their biometric passport with a smartphone. The NFC chip's cryptographic signature is verified against the issuing country's public key. Liveness detection confirms the person is physically present. In 90 seconds, they have a device-bound digital identity that serves as the anchor point for any delegation chain ā whether that chain leads to an AI agent, an eCMR signature, or a financial transaction.
In the three-layer model, IdentiGate provides Layer 3: the cryptographic human identity proof at the root. Layer 1 (agent identity) and Layer 2 (delegation chain) are built by the IAM ecosystem. Layer 3 is what makes the other two trustworthy.
The principle is consistent across use cases. In logistics, it answers "who signed this eCMR?" In fintech, it answers "who authorised this KYC decision?" In agentic AI, it answers "which verified human is accountable for this agent's actions?" The underlying technology is the same: cryptographic identity proofing from a government-issued document.
What Should Organisations Do Now?
Based on the RSAC 2026 announcements, the NIST concept paper, and the Cloud Security Alliance research, three priorities are clear.
Stop sharing human credentials with AI agents. The CSA survey found this is still common practice. It is the single largest governance risk in agentic deployments. Agents need their own identities, tied to ā but separate from ā their human delegators.
Define which actions require Human-in-the-Loop. Not every agent action needs human approval. But financial transactions, sensitive data access, and system changes do. Build policy thresholds now, before the EU AI Act enforcement mechanisms mature.
Solve identity proofing at the root. The delegation chain from human to agent is only as trustworthy as the identity at its origin. Device-bound passkeys are a good authentication step. But for high-stakes agentic workflows, the root identity needs to be proofed ā not just authenticated. Cryptographic verification through biometric passports provides the strongest available anchor.
The World Economic Forum's Global Cybersecurity Outlook 2026 reports that 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk over the course of 2025. The enterprises that solve the identity problem first will be the ones that deploy AI agents at scale ā confidently, compliantly, and with a human they can point to when it matters.
Because an AI agent with credentials is not the same as an AI agent with accountability. And accountability starts with knowing who is behind the machine.
Sources
Market data and forecasts
- Gartner ā 40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026 (August 2025 press release)
- Meticulous Research ā NHI Access Management Market: $11.3B in 2025 to $38.8B by 2036
- FIDO Alliance ā Passkey adoption doubles in 2024: more than 15 billion online accounts (December 2024)
- World Economic Forum ā Global Cybersecurity Outlook 2026 (87% cite AI-related vulnerabilities)
Research on agentic identity governance
- Cloud Security Alliance / Strata Identity ā "Securing Autonomous AI Agents" (February 2026) ā 23 % of organisations have a formal agent-identity strategy
- Kiteworks ā 2026 AI Agent Data Governance Report
- Strata Identity ā Human-in-the-Loop for AI Agents (March 2026)
Regulation and standards
RSAC 2026 context
- Biometric Update ā AI agent identity and next-gen authentication at RSAC 2026 (March 2026)
- Security Boulevard ā Authenticated but Not Verified: the Workforce Identity Gap (Nametag at RSAC 2026)
- Solutions Review ā Identity Security Predictions 2026
ePassport adoption
- Signicat ā What countries have ePassports? (December 2025) ā ~180 countries and regions issuing biometric passports
IdentiGate provides cryptographic human identity proofing from biometric passports in ~180 countries and regions ā the root-of-trust layer for Human-in-the-Loop AI agent authorization, cross-border digital signing, and regulated identity workflows. Learn more at identigate.com
About the author
Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.